Are you an ostrich? Many business leaders are when it comes to cybersecurity — standing upright but with your head in the sand. You think “I’m just a small business, who would want to bother with me?” But the fact is that small businesses are always a target, and even more so since COVID-19.
There are a few things every leader out there should understand, whether they run a five-person bakery or a 500-person marketing agency.
Cyber Criminals No Longer Need Sophisticated Skills
Just like you buy a program to run your invoices or control your inventory, cyber criminals can buy a program to hack your system. Forget that image you have of a computer savant in a hoodie lurking in a dark basement. Now anyone can be a cyber criminal if they buy the right program. It’s not just the “big game” companies that have to worry today. In fact…
Small Business Is at Higher Risk Than Ever Before
It is so easy for cyber criminals to start up a business. And they more often live in countries where the dollar goes a lot farther. So even a small payout of a few hundred dollars on each interaction is worth the risk and investment.
Then consider that many big companies have large IT teams and sophisticated cybersecurity plans. If you were a cyber criminal, would you go after them? Or would you target the smaller guy down the road who thinks his antivirus software protects him from everything?
Add to that the massive opportunity that COVID-19 has created. Almost overnight, workers were home, often working on personal computers and unsecured networks. This change in communication styles and methods has made people more vulnerable to phishing attacks.
The Cost Of Prevention Is a Fraction of The Cost Of Recovery
In 2019, the average ransom demanded for a decryption key (to reopen files locked during a ransomware attack) was $12,000. Now it’s $90,000. So it really pays to invest a small amount of money in cybersecurity to prevent and thwart these attacks rather than a huge amount of money to recover after one.
But it’s not just the cost of the ransom you have to consider. First, there is no guarantee that if you pay the ransom, the cyber criminal will provide the key to unlock your files, or that the key will actually work. Then you have to factor in the cost of downtime and of notifying clients and regulators about the breach. If you are subject to HIPAA, each Social Security number that leaks can expose you to cost and liability.
We’ve had client networks attacked by ransomware and we’ve brought every one of them back to life without paying ransom. We restored them through backups that were not compromised because they were set up to be less vulnerable.
Firewalls and Software Can Only Get You Part of the Way
The fact is that today, you can have the best firewall in the world and still get hacked. The reason? People. Despite the way the world may seem sometimes, people are generally trusting and quick to respond — at least when it comes to their email. They click with no suspicion. They react immediately to anything that appears urgent. Manipulating people this way is called social engineering, and email phishing is its most common form; it is the number one way criminals get into a network.
As a business leader, you know people are your biggest asset. But in terms of cybersecurity, they are your weakest link. You need to invest in training them to spot suspicious activity and start a “call before you click” policy of verifying requests before acting on them.
Cyber Criminals Could Be in Your System Now (And You Wouldn’t Know It)
We imagine that hackers get in, steal data or plant viruses and leave. The reality is that cyber criminals gain access to minor systems and then study you, your company and your employees, gathering data and determining the best places to attack.
They also watch social media. They know you are on vacation in Mexico, so it’s a perfect time to email your new, eager employee “Bill” with an urgent message that you were in a car accident and need him to go out and buy Visa gift cards and call you with the numbers.
That kind of phishing email works because of the data hackers gathered on your systems. They identified the right email template and language to look authentic. And, they discovered that Bill was new and more likely to fall for the bogus request.
Ransoms Are Only One Potential Cost
When bad actors get into your system, they can use the information they gather in a variety of ways, including phishing and ransomware attacks. But they can also be even trickier.
One company found that a cyber criminal had reached out to all their clients and invoiced them, directing payments into the cyber criminal’s account. The business was out $200,000 in revenue before the criminal activity was discovered.
At another company, cyber criminals broke into the telecom systems and rerouted calls through a foreign country. The company only found out when a $40,000 telecom bill came.
Cyber Insurance Alone Offers Little Protection
As cyber criminals have become more sophisticated, so have cyber insurance policies. They cover things like incident response, business interruption and may even pay ransoms, depending on the policy. Some small business leaders think if they have cyber insurance, they’re covered and they don’t need to invest in cybersecurity. But that is not necessarily the case.
As with any insurance coverage, claims have to go through an approval process. We’ve seen claims be denied based on the insurers’ argument that companies weren’t doing their due diligence to protect their networks. So even if you have cyber insurance, you need to have a plan and be able to show the history of actions to secure your systems. If you don’t move your security plan forward, your cyber insurance may not pay out.
Longer, Better, Ever Changing Passwords — Really
We are lazy as humans and we don’t want to learn long passphrases. This may be especially true of leaders and executives who don’t want to waste time fumbling through a password manager or using a frustrating authenticator app. As a leader, you need to move past this stance and lead your team in adopting better online security practices that will, in turn, protect your business.
You have to get real about passwords. As a password, Fluffy2018 is not really going to help you. It needs to be Fluffyisameanoldcat!3752. And it must be changed regularly.
Embrace multi-factor authentication (MFA) — when you log in from a new device or after a period of time, MFA requires an additional code from an app on your phone (among other methods). Yeah, it’s a pain to have to enter a code every 30 days when you log in, but it’s the single best thing you can do to secure your system.
It Doesn’t Have to Be All at Once
The first step of a cybersecurity plan is always analysis. We find out where things are weak and where there is the most risk. Then we lay out bite-sized, doable plans for each business.
For example, what if your whole team is dispersed and working from home? No problem. We can start there and adjust once the office reopens, if needed. There is a lot to do, of course, but it’s done over time.
Security isn’t something you do one time. It’s an ongoing process.